By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to specify user group attribute for access control

0

I have sycned up AD users and groups to IAM identity center already, and i'd like to control S3 bucket access based on User group. For example, there are two groups bigdata and operation, how can i specify the key-value on IAM Identity center attribute access controlEnter image description here

I tried to hard code the value like Department=bigdata. But it's required to use dynamic expression since different user belongs to different groups. I searched IAM Identity Center official doc, but i can't find who to describe group name with supported placeholder

Topics
Security, Identity, & Compliance
Tags
AWS IAM Identity Center
Language
English
neal
asked 8 days ago66 views
1 Answer
0

Hi Neal, The way ABAC (Attribute-based access control) is based on Tags, check this 1 and 2 , this is an example of s3 policy:

{ "Version": "2012-10-17", "Statement": [ { "Principal": { "AWS": [ "arn:aws:iam::111122223333:role/JohnDoe" ] }, "Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "Condition": { "StringEquals": {"s3:ExistingObjectTag/Department": "bigdata"} } } ] }

AWS
Frank
answered 7 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content